CVE-2026-44645

Source
https://cve.org/CVERecord?id=CVE-2026-44645
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-44645.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-44645
Aliases
Downstream
Related
Published
2026-06-17T22:08:19.354Z
Modified
2026-07-15T01:48:53.630098340Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
LiquidJS has a renderLimit DoS guard bypass via empty `{% for %}` body
Details

LiquidJS is a Shopify/GitHub Pages compatible template engine written in pure JavaScript. In versions 10.25.7 and below, the renderLimit option can be fully bypassed by a {% for %} (or {% tablerow %}) tag whose body is empty. The renderLimit option is documented in docs/source/tutorials/dos.md as the mechanism that "mitigates this by limiting the time consumed by each render() call." The per-iteration time check is reached only when the body contains at least one template node, so a template such as {%- for i in (1..N) -%}{%- endfor -%} iterates the full collection without ever consulting renderLimit. With a configured renderLimit of 50 ms, a single parseAndRenderSync call has been observed to consume 2.26 seconds (~45× over the limit) and scales linearly with N up to memoryLimit, allowing a low-privileged template author to wedge an event-loop thread for an attacker-chosen duration. Deployments that rely on a finite renderLimit for DoS protection (common in multi-tenant template-authoring environments) can still be forced by a single crafted template to monopolize a Node.js event-loop worker for attacker-controlled time, potentially stalling in-flight requests, with availability impact only. This issue has been fixed in version 10.26.0.

Database specific
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-400"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/44xxx/CVE-2026-44645.json"
}
References

Affected packages

Git / github.com/harttle/liquidjs

Affected ranges

Type
GIT
Repo
https://github.com/harttle/liquidjs
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Database specific
{
    "source": [
        "AFFECTED_FIELD",
        "REFERENCES"
    ],
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "10.26.0"
        }
    ]
}

Affected versions

v1.*
v1.2.0
v1.3.3
v1.4.1
v1.4.2
v1.4.3
v1.5.0
v1.5.1
v1.5.2
v1.5.3
v1.5.4
v1.6.0
v1.6.1
v1.6.2
v1.7.0
v1.7.1
v1.7.2
v1.7.3
v1.7.4
v1.7.5
v1.7.6
v1.7.7
v1.7.8
v1.7.9
v1.8.0
v1.9.0
v1.9.1
v1.9.2
v1.9.3
v1.9.4
v1.9.5
v1.9.6
v1.9.7
v10.*
v10.0.0
v10.1.0
v10.10.0
v10.10.1
v10.10.2
v10.11.0
v10.11.1
v10.12.0
v10.13.0
v10.13.1
v10.14.0
v10.15.0
v10.16.0
v10.16.1
v10.16.2
v10.16.3
v10.16.4
v10.16.5
v10.16.6
v10.16.7
v10.17.0
v10.18.0
v10.19.0
v10.19.1
v10.2.0
v10.20.0
v10.20.1
v10.20.2
v10.20.3
v10.21.0
v10.21.1
v10.22.0
v10.23.0
v10.24.0
v10.25.0
v10.25.1
v10.25.2
v10.25.3
v10.25.4
v10.25.5
v10.25.6
v10.25.7
v10.3.0
v10.3.1
v10.3.2
v10.3.3
v10.4.0
v10.5.0
v10.6.0
v10.6.1
v10.6.2
v10.7.0
v10.7.1
v10.8.0
v10.8.1
v10.8.2
v10.8.3
v10.8.4
v10.9.0
v10.9.1
v10.9.2
v10.9.3
v10.9.4
v2.*
v2.0.0
v2.0.1
v2.0.2
v2.0.3
v2.1.0
v2.1.1
v2.1.2
v2.1.3
v2.1.4
v2.2.0
v2.2.1
v3.*
v3.0.0
v3.1.0
v3.1.1
v3.1.2
v3.1.3
v4.*
v4.0.0
v5.*
v5.0.0
v5.0.1
v5.0.2
v5.1.0
v5.1.1
v5.2.0
v5.3.0-0
v6.*
v6.0.0
v6.0.1
v6.1.1
v6.2.0
v6.2.1
v6.3.0
v6.3.1
v6.4.0
v6.4.1
v6.4.2
v6.4.3
v7.*
v7.0.0
v7.0.1
v7.0.2
v7.1.0
v7.2.0
v7.2.1
v7.2.2
v7.3.0
v7.3.1
v7.4.0
v7.5.0
v7.5.1
v8.*
v8.0.0
v8.0.1
v8.0.2
v8.0.3
v8.1.0
v8.2.0
v8.2.1
v8.2.2
v8.2.3
v8.2.4
v8.3.0
v8.4.0
v8.4.1
v8.5.0
v8.5.1
v8.5.2
v8.5.3
v9.*
v9.0.0
v9.0.1
v9.1.0
v9.1.1
v9.10.0
v9.11.0
v9.11.1
v9.11.10
v9.11.11
v9.11.2
v9.11.3
v9.11.4
v9.11.5
v9.11.6
v9.11.7
v9.11.8
v9.11.9
v9.12.0
v9.13.0
v9.14.0
v9.14.1
v9.15.0
v9.15.1
v9.16.0
v9.16.1
v9.17.0
v9.18.0
v9.19.0
v9.2.0
v9.20.0
v9.20.1
v9.21.0
v9.22.0
v9.22.1
v9.23.0
v9.23.1
v9.23.2
v9.23.3
v9.23.4
v9.24.0
v9.24.1
v9.24.2
v9.25.0
v9.25.1
v9.26.0
v9.27.0
v9.27.1
v9.28.0
v9.28.1
v9.28.2
v9.28.3
v9.28.4
v9.28.5
v9.28.6
v9.29.0
v9.3.0
v9.3.1
v9.30.0
v9.31.0
v9.32.0
v9.32.1
v9.33.0
v9.33.1
v9.34.0
v9.34.1
v9.35.0
v9.35.1
v9.35.2
v9.36.0
v9.36.1
v9.36.2
v9.37.0
v9.38.0
v9.39.0
v9.39.1
v9.39.2
v9.4.0
v9.4.1
v9.4.2
v9.40.0
v9.41.0
v9.42.0
v9.42.1
v9.43.0
v9.5.0
v9.6.0
v9.6.1
v9.6.2
v9.7.0
v9.7.1
v9.7.2
v9.8.0
v9.9.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-44645.json"